Introduction

This document describes how to perform packet captures on the Cisco Content Security appliances.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Cisco Email Security Appliance (ESA)

Cisco Web Security Appliance (WSA)

Cisco Security Management Appliance (SMA)

AsyncOS

Components Used

The information in this document is based on all versions of AsyncOS.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

How do you perform a packet capture on a Cisco Content Security appliance?

Complete these steps in order to perform a packet capture (tcpdump command) with the GUI:

Navigate to Help and Support > Packet Capture on the GUI.

Edit the packet capture settings as required, such as the network interface on which the capture runs, the maximum file size, and the capture filter. You can use one of the predefined filters, or you can create a custom filter with any expression that the Unix tcpdump command accepts (pcap-filter syntax, for example host 192.0.2.10 and tcp port 25). Keep the filter as narrow as the problem allows: the capture file holds the raw traffic, including any cleartext SMTP or HTTP content, so a broad filter collects far more data than a troubleshooting case needs.

Click Start Capture in order to begin the capture.

Click Stop Capture in order to end the capture.

Download the packet capture.
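The same tcpdump filter syntax is used whether the capture is configured from the GUI filter field above or at the CLI packetcapture SETUP prompt. The helper below is an added example written for this page, not Cisco code and not part of AsyncOS: it builds a narrowly scoped pcap-filter expression from validated host and port parameters, and parses the Current Settings block that the CLI packetcapture command prints so the scope can be checked before the capture is started. The sample status text is copied from the CLI transcript in this document; the esa_smtp filter and the check_scope warning rules are assumptions for illustration.

```python
"""Scope and sanity-check a Cisco Content Security appliance packet capture.

Added example, not part of the original document or of AsyncOS. It builds a
tcpdump (pcap-filter) expression and parses the CLI 'Current Settings' text.
"""
import ipaddress
import re

# Constructed from the CLI transcript in the document (WSA defaults);
# the esa_smtp entry is an assumption, not a filter the document lists.
DEFAULT_FILTERS = {
    "wsa_proxy": "(tcp port 80 or tcp port 3128)",
    "esa_smtp": "(tcp port 25)",
}

# Status text exactly as the CLI packetcapture command prints it (copied
# from the document's transcript) so the parser can be run offline.
SAMPLE_STATUS = """\
Status: No capture running
Current Settings:
Max file size: 200 MB
Capture Limit: None (Run Indefinitely)
Capture Interfaces: Management
Capture Filter: (tcp port 80 or tcp port 3128)
"""

SETTING_RE = re.compile(
    r"^\s*(Max file size|Capture Limit|Capture Interfaces|Capture Filter):\s*(.*?)\s*$"
)


def build_filter(hosts=(), ports=(), proto="tcp"):
    """Return a pcap-filter expression restricted to the given hosts and ports.

    Hosts may be single addresses or CIDR ranges; ports must be 1-65535.
    Invalid input raises ValueError instead of producing a filter tcpdump
    would reject (or, worse, silently widen).
    """
    if proto not in ("tcp", "udp", "ip"):
        raise ValueError("proto must be tcp, udp or ip")
    host_terms = []
    for h in hosts:
        net = ipaddress.ip_network(h, strict=False)  # accepts host or CIDR
        if net.num_addresses > 1:
            host_terms.append(f"net {net}")
        else:
            host_terms.append(f"host {net.network_address}")
    port_terms = []
    for p in ports:
        p = int(p)
        if not 0 < p < 65536:
            raise ValueError(f"port out of range: {p}")
        port_terms.append(f"port {p}" if proto == "ip" else f"{proto} port {p}")
    clauses = []
    if host_terms:
        clauses.append("(" + " or ".join(host_terms) + ")")
    if port_terms:
        clauses.append("(" + " or ".join(port_terms) + ")")
    # An empty expression is what the CLI's CLEAR keyword means: capture everything.
    return " and ".join(clauses)


def parse_settings(text):
    """Parse the 'Current Settings' lines of the CLI output into a dict."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_scope(settings):
    """Return warnings about an over-broad capture (rules are this example's own)."""
    warnings = []
    filt = settings.get("Capture Filter", "")
    if not filt or filt.upper() == "CLEAR":
        warnings.append("no capture filter: every packet on the interface is written")
    elif "host" not in filt and "net" not in filt:
        warnings.append("filter has no host/net term: traffic of all clients is captured")
    if settings.get("Capture Limit", "").startswith("None"):
        warnings.append("no capture limit: capture runs until stopped by hand")
    return warnings


if __name__ == "__main__":
    # Example: isolate one SMTP conversation with a remote mail server on an ESA.
    print(build_filter(hosts=["192.0.2.10"], ports=[25]))
    current = parse_settings(SAMPLE_STATUS)
    for w in check_scope(current):
        print("WARNING:", w)
```

Paste the string that build_filter returns into the GUI filter field or at the CLI filter prompt; the parser is meant to be fed the text the packetcapture command prints after SETUP, so the warnings are reviewed before START.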

Complete these steps in order to perform a packet capture (tcpdump command) with the CLI:

Enter this command into the CLI:

wsa.run> packetcapture

Status: No capture running

Current Settings:

Max file size: 200 MB

Capture Limit: None (Run Indefinitely)

Capture Interfaces: Management

Capture Filter: (tcp port 80 or tcp port 3128)

Choose the operation that you want to perform:

- START - Start packet capture.

- SETUP - Change packet capture settings.

[]> setup

Enter the maximum allowable size for the capture file (in MB):

[200]> 200

Do you want to stop the capture when the file size is reached? (If not, a new file will be started and the older capture data will be discarded.)

[N]> n

The following interfaces are configured:

1. Management

2. T1

3. T2

Enter the name or number of one or more interfaces from which to capture packets, separated by commas:

[1]> 1

Enter the filter that you want to use for the capture. Enter the word CLEAR in order to clear the filter and capture all of the packets on the selected interfaces.